Switching, Routing, and Wireless Essentials Chapters 10-13


Which type of wireless topology is created when two or more Basic Service Sets are interconnected by Ethernet?

ESS (Extended Service Set)

Which Cisco solution helps prevent MAC and IP address spoofing attacks?

IP Source Guard

What is a recommended best practice when dealing with native VLAN?

Assign it to unused VLAN.

Which AAA component is responsible for controlling who is permitted to access network?

Authentication

In the split MAC architecture for CAPWAP, which of the following are the responsibility of the WLC?

Authentication; Association and re-association of roaming clients; Termination of 802.11 traffic on wired interface; Frame translation to other protocols

What are the best ways to secure WLANs?

Authentication; Encryption

In an 802.1X implementation, which device is responsible for relaying responses?

Authenticator

Which AAA component is responsible for determining what user can access? Because of implemented security controls, a user can only access server with FTP. Which AAA component accomplishes this?

Authorization

Which parameter is commonly used to identify a wireless network name when a home wireless AP is being configured?

SSID

A threat actor sends BPDU message with priority 0. What type of attack is this?

STP attack

Which type of telecommunication technology is used to provide Internet access to vessels at sea?

Satellite

What would be the primary reason threat actor would launch MAC address overflow attack?

So that threat actor can see frames that are destined for other devices.

Which of the following wireless networks typically uses lower powered transmitters for short ranges?

WPAN

Which of the following is an IEEE 802.15 WPAN standard that uses a device-pairing process to communicate?

Bluetooth

Which service is enabled on Cisco router by default that can reveal significant information about router and potentially make it more vulnerable to attack?

CDP (Cisco Discovery Protocol)

Which 802.11 standards exclusively use the 5 GHz radio frequency?

802.11a; 802.11ac

Which of the following encryption methods uses CCMP to recognize if encrypted and non-encrypted bits have been altered?

AES (Advanced Encryption Standard)

Which wireless topology mode is used by two devices to connect in a peer-to-peer network?

Ad hoc

A threat actor sends message that causes all other devices to believe MAC address of threat actor's device is default gateway. What type of attack is this?

ARP spoofing

Which of the following components are integrated in a wireless home router?

Access point; Switch; Router

Which AAA component is responsible for collecting and reporting usage data for auditing and billing purposes?

Accounting

What is the term for AP that does not send beacon, but waits for clients to send probes?

Active

A threat actor changes MAC address of threat actor's device to MAC address of default gateway. What type of attack is this?

Addressing spoofing

Which of the following is a standalone device, like home router, where entire WLAN configuration resides on device?

Autonomous AP

What Wi-Fi management frame is regularly broadcast by APs to announce their presence?

Beacon

A threat actor discovers IOS version and IP addresses of local switch. What type of attack is this?

CDP reconnaissance

A user has just purchased a generic home router and would like to secure it. What should be done to help secure wireless home router?

Change default administrator password.

What is a difference between autonomous APs that operate in a home environment and controller-based APs that operate in a corporate environment?

Controller-based APs can be automatically configured and managed by a WLAN controller.

Which of the following mitigation techniques prevents ARP spoofing and poisoning attacks?

DAI (Dynamic ARP Inspection)

Which of the following mitigation techniques prevents DHCP starvation and spoofing attacks?

DHCP snooping

Which two features on Cisco Catalyst switch can be used to mitigate DHCP starvation and spoofing attacks?

DHCP snooping; port security

Which Layer 2 attack will result in legitimate users not getting valid IP addresses?

DHCP starvation

Which of the following modulation techniques spreads signal over larger frequency band?

DSSS (Direct-Sequence Spread Spectrum)

A user is configuring wireless access point and wants to prevent any neighbors from discovering network. What action does user need to take?

Disable SSID broadcast

What is the best way to prevent VLAN hopping attack?

Disable trunk negotiation for trunk ports and statically set nontrunk ports as access ports

Which device monitors SMTP traffic to block threats and encrypt outgoing messages to prevent data loss?

ESA (Email Security Appliance)

Which three Cisco products focus on endpoint security solutions?

Email Security Appliance; NAC Appliance; Web Security Appliance

Which procedure is recommended to mitigate chances of ARP spoofing?

Enable DHCP snooping on selected VLANs.

What mitigation plan is best for thwarting a DoS attack that is creating a MAC address table overflow?

Enable port security

Which two roles are typically performed by a wireless router that is used in a home or small business?

Ethernet switch; Access point

Which of the following modulation techniques rapidly switches signal among frequency channels?

FHSS (Frequency-Hopping Spread Spectrum)

Laptops that do not have integrated wireless NIC can only be attached to network through wired connection. When you need to expand coverage of a small network, the best solution is to use range extender. DTLS is enabled by default on control and data CAPWAP tunnels. Rogue AP is misconfigured AP connected to network and possible source of DoS attacks.

False

Which of the following mitigation techniques prevents MAC and IP address spoofing?

IPSG (IP Source Guard)

What IP versions does CAPWAP support?

IPv4 by default, but can configure IPv6

Which standards organization is responsible for allocating radio frequencies?

ITU-R (International Telecommunication Union Radiocommunication Sector)

Which of the following statements are true about modes of operation for FlexConnect AP?

In standalone mode, WLC is unreachable and AP switches local traffic and performs client authentication locally. In connect mode, WLC is reachable and performs all its CAPWAP functions.

Which feature of 802.11n wireless access points allows them to transmit data at faster speeds than previous versions of 802.11 Wi-Fi standards did?

MIMO (multiple-input and multiple-output)

What type of attack is an "evil twin AP" attack?

MITM

Which WLC tab would network administrator typically use to see summary view of most heavily used WLANs including number of clients using particular WLAN?

Monitor

Which of the following modulation techniques is used in new 802.11ax standard?

OFDMA (Orthogonal Frequency-Division Multiaccess)

Which of the following antennas provide 360 degrees of coverage?

Omnidirectional

Which of the following authentication methods does not use a password shared between the wireless client and the AP?

Open

In the split MAC architecture for CAPWAP, which of the following are the responsibility of the AP?

Packet acknowledgments and retransmissions; Beacons and probe responses; MAC layer data encryption and decryption; Frame queueing and packet prioritization

What is the term for AP that openly advertises its service periodically?

Passive

Which of the following mitigation techniques prevents many types of attacks including MAC address table overflow and DHCP starvation attacks? What mitigation technique must be implemented to prevent MAC address overflow attacks?

Port security

Which security feature should be enabled in order to prevent an attacker from overflowing MAC address table of switch?

Port security

In a server-based AAA implementation, which protocol will allow the router to successfully communicate with the AAA server?

RADIUS

What two protocols are supported on Cisco devices for AAA communications?

RADIUS (Remote Authentication Dial-In User Service); TACACS+ (Terminal Access Controller Access Control System)

Where are dynamically learned MAC addresses stored when sticky learning is enabled with switchport port-security mac-address sticky command?

RAM

Which encryption method is used by original 802.11 specification?

RC4 (Rivest Cipher 4)

Which attack encrypts the data on hosts in an attempt to extract a monetary payment from the victim?

Ransomware

A rogue AP is a misconfigured AP connected to the network and a possible source of DoS attacks.

Rogue AP

Which two commands can be used to enable PortFast on switch?

S1(config-if)# spanning-tree portfast
S1(config)# spanning-tree portfast default

Which protocol could be used by a company to monitor devices such as a wireless LAN controller (WLC)?

SNMP

Users on an IEEE 802.11n network are complaining of slow speeds. The network administrator checks the AP and verifies it is operating properly. What can be done to improve the wireless performance in the network?

Split the wireless traffic between the 802.11n 2.4 GHz band and the 5 GHz band.

What is the behavior of switch as a result of successful MAC address table attack?

Switch will forward all received frames to all other ports within VLAN.

A network administrator is configuring DAI on switch with command ip arp inspection validate dst-mac. What is the purpose of this configuration command?

To check destination MAC address in Ethernet header against source MAC address in ARP body

In the 802.1X standard, the client attempting to access the network is referred to as the supplicant. An ESS is created when two or more BSSs need to be joined to support roaming clients.

True

A threat actor configures host with 802.1Q protocol and forms trunk with connected switch. What type of attack is this?

VLAN hopping

What Layer 2 attack is mitigated by disabling Dynamic Trunking Protocol?

VLAN hopping

Which of the following mitigation techniques are used to protect Layer 3 through Layer 7 of OSI Model?

VPN; Firewalls; IPS devices

Which devices are specifically designed for network security?

VPN-enabled router; NGFW (Network Generation Firewall); NAC (Network Access Control)

Which of the following wireless networks are specified in IEEE 802.11 standards for 2.4 GHz and 5 GHz radio frequencies?

WLAN

Which of the following authentication methods has the user enter a pre-shared password?

WPA (Wi-Fi Protected Access) Personal; WPA2 Personal

Which method of wireless authentication is currently considered to be the strongest?

WPA2

Which device monitors HTTP traffic to block access to risky sites and encrypt outgoing messages?

WSA (web security appliance)

How many address fields are in the 802.11 wireless frame?

4

Which protocol and port numbers are used by both IPv4 and IPv6 CAPWAP tunnels?

5246 and 5247 UDP

If three 802.11b access points need to be deployed in close proximity, which three frequency channels should be used?

6; 5; 11

Which IEEE standard operates at wireless frequencies in both the 5 GHz and 2.4 GHz ranges?

802.11n

A network administrator is configuring DHCP snooping on switch. Which configuration command should be used first?

ip dhcp snooping

Which characteristic describes wireless client operating in active mode?

must know SSID to connect to AP

When a wireless network in a small office is being set up, which type of IP addressing is typically used on the networked devices?

private

Which command would be best to use on unused switch port if a company adheres to best practices as recommended by Cisco?

shutdown

What is the purpose of AAA accounting?

to collect and report application usage

What are two types of switch ports that are used on Cisco switches as part of defense against DHCP spoofing attacks?

trusted DHCP port; untrusted port

How many channels are available for the 2.4 GHz band in Europe?

13

What UDP ports and IP protocols are used by CAPWAP for IPv6?

136; 5246; 5247

What UDP ports and IP protocols are used by CAPWAP for IPv4?

17; 5246; 5247

How many channels are available for the 5 GHz band?

24

An administrator who is troubleshooting connectivity issues on switch notices that switch port configured for port security is in err-disabled state. After verifying cause of violation, how should administrator re-enable port without disrupting network operation?

Issue shutdown command followed by no shutdown command on interface.

Which statement describes an autonomous access point?

It is a standalone access point.

Why is authentication with AAA preferred over a local database method?

It provides fallback authentication method if administrator forgets username or password.

When security is a concern, which OSI Layer is considered to be the weakest link in a network system?

Layer 2

What is involved in an IP address spoofing attack?

Legitimate network IP address is hijacked by rogue node.

Which Layer 2 attack will result in a switch flooding incoming frames to all ports?

MAC address overflow

Which wireless network topology is being configured by a technician who is installing a keyboard, a mouse, and headphones, each of which uses Bluetooth?

ad hoc mode

On what switch ports should PortFast be enabled to enhance STP stability?

all end-user ports

In the context of mobile devices, what does the term tethering involve?

connecting a mobile device to another mobile device or computer to share a network connection

A network administrator is configuring DAI on switch. Which command should be used on uplink interface that connects to router?

ip arp inspection trust

